(57) Abstract

A system for providing policy management in a network (110) that includes nodes (100, 120, 130, 140, 150, 160, 170, 180, 190)
operating in multiple protocol layers and having enforcement functions. Multiple network devices, such as routers (160), hubs
(190), remote access equipment (150), switches (120), repeaters (140), bridges (170), and network cards (130, 180), and end
system processes having security functions are configured to contribute to implementation of policy enforcement in the network
(110). By distributing policy enforcement functionality to a variety of network devices and end systems, a pervasive policy
management system is implemented. The policy management system includes a policy implementation component that accepts
policy, i.e. instructions or rules, that define how the network device should behave when confronted with a particular situation.
The management system further includes a management station (100), with a user interface (101) operating pursuant to a first
process capable of providing an object to the network, the object including variables and one of a method or instructions to
locate a method, executable on the network to set up a second process to enforce a portion of the policy.

(57) Abstract (translated from French)

The invention relates to a system for managing the policy of a network (110) comprising nodes (100, 120, 130, 140, 150,
160, 170, 180, 190) operating in several protocol layers and having enforcement functions. Multiple network elements such
as routers (160), hubs (190), remote access equipment (150), switches (120), repeaters (140), bridges (170), network cards
(130, 180), and end system processes having security functions are configured to contribute to enforcing the policy in the
network (110). Distributing the policy enforcement functions among various devices and end systems of the network yields a
powerful policy management system that includes a policy acceptance management component, i.e. instructions or rules
defining how a device of the network must behave when faced with a particular situation. The management system further
comprises a management station (100) provided with a user interface (101) acting according to a first process capable of
providing the network with an object comprising variables and one of a method or instructions locating a method executable on
the network in order to establish a second process that enforces a part of the policy.
DYNAMIC POLICY MANAGEMENT APPARATUS AND METHOD
USING ACTIVE NETWORK DEVICES

BACKGROUND OF THE INVENTION 

Field of the Invention 

The present invention relates to establishing and enforcing system policy on a network; 
and more specifically to systems employing dynamic policy management using active 
networking devices to establish and enforce system policy. 

Discussion of the Related Art 

The Internet has grown significantly over the past several decades, yet there are signs
that applications would benefit from a richer set of Internet services. For example, the
expected growth in voice over IP (VoIP) traffic on the Internet will change its overall traffic
characteristics. While up to now real-time delivery requirements for IP traffic have been rare,
VoIP packets must be delivered within fairly strict time constraints. Since the volume of
VoIP traffic is likely to grow into a high percentage of Internet traffic, the services required
by the Internet will change. As other real-time traffic, such as that supporting video, becomes
prominent, the effect on Internet services will be even more dramatic.

The growth of the Internet and the use of IP based technology has also created a
corresponding growth in the number of systems administrators must manage. This scaling
problem is being addressed by the use of policy based management systems, whereby 
administrators specify what should happen and leave it to the policy management system to 
determine procedures to implement the policy. 

The system administrators' task of administering policy is even further complicated by
legacy systems. As networks evolve, older equipment, i.e., legacy systems, remain that may
not be able to participate in a particular management policy. Alternately, legacy systems may
be able to participate, but the methods required to execute the policy are different, thereby
complicating the implementation of the policy. Because of the variety of devices and legacy
systems, the complexity of implementing a management policy makes it difficult to establish
the policy across all layers and device types of the network, and particularly difficult to
maintain such a policy management system even if it could be successfully implemented.

WO 00/41091 PCT/US99/28199

Typically in the prior art, a central management station that dispatches instructions to
the network devices as needed controls the policy management. The instructions may be
very basic, such as telling the device to shut down, or very complex requiring the device.
Often the instructions are in response to repetitive processes that are executed periodically,
i.e., daily or weekly, or on the occurrence of some event. If system congestion is high or the
management system is inoperative, the appropriate action may not be taken, thereby creating
system performance degradation; and in the worst-case scenario this could lead to system
failure.

Accordingly, it is desirable to implement a policy management system which allows 
for system policy to be executed and maintained at the network device level across layers of 
network systems and protocols. 

SUMMARY OF THE INVENTION 

Accordingly, the present invention is directed to a dynamic policy management 
apparatus and method using active network devices that provide for policy enforcement. 

The present invention provides a system for providing policy management in a
network that includes passive nodes and active nodes operating in multiple protocol layers
and having enforcement functions. A variety of network devices, i.e., nodes or active nodes,
such as routers, remote access equipment, switches, repeaters, network cards, and end system
processes having security functions, are configured to contribute to the implementation of
policy enforcement in the network. By distributing policy enforcement functionality to a
variety of network devices and end systems, a pervasive policy management system is
implemented. The policy management system includes a policy implementation component
that accepts policy, i.e., instructions or rules that define how the network device should
behave when confronted with a particular situation. The policy enforcement is performed by
network devices having tools and resources to execute the active packets distributed
throughout the network to enforce the defined policy. The policy being implemented can be
implemented across multiple protocol layers and must be coordinated by the policy
management system such that particular devices enforce that part of the policy pertinent to
their part of the network.
For example, a router in the network enforces that part of the policy that is pertinent
to those systems and network devices whose traffic might traverse the router. A switch
enforces that part of the policy that is pertinent to those systems and network devices whose
traffic traverses the switch. A repeater enforces that part of the policy that is pertinent to
those systems and network devices whose traffic traverses the repeater. A network interface
card with processing resources (smart NIC) enforces that part of the policy that is pertinent to
the system or device to which it is connected. In addition, other parts of the network are
included in the policy management hierarchy, such as end system operating systems and
applications, remote access equipment, network management systems for controlling network
traffic and monitoring network traffic, and other auxiliary systems such as name services and
file services are included in the collection of network devices that are called upon to enforce a
portion of the policy being implemented by the present invention.

To implement the system policy a network manager uses a management station to
specify policy for a network. The management station employs a policy definition system
(PDS) supporting a policy definition language (PDL) to create a programming language
active packet, which represents at least one rule of the policy, which is then encapsulated in
preparation for transmission to the active network devices. The active packet includes, but is
not limited to, an object-oriented programming language, such as C++, CAML, JAVA, and
Python, having objects and scripting programming language, such as Practical Extraction and
Report Language (PERL), Tool Command Language (TCL), or employing shells, e.g. Unix
supports Bourne shell, Korn shell, and C-shell code. The active packet is stored in an active
packet file on a memory device and the file is optionally signed with a digital signature. The
active packet file is either deposited in a network directory, or other distributed database, or
sent through the network to the enforcement device and stored in its memory. The
enforcement device is signaled when a new policy, represented by the active packet file, for it
is available. The signal may contain the active packet or it may inform the device to find the
active packet in a network directory or distributed database.

After the enforcement device obtains the active packet file, it is optionally verified via
the signature to determine the privileges the active packet should be granted. The active
packet file is then extracted from the memory location and the active packet is prepared for
execution. The enforcement device checks to see if it has the implementing code (at least one
variable, method, and/or data) for the active packet loaded in its memory. If not, the
enforcement device obtains the code from a distributed database or directory, or another
enforcement device, or similar memory device.

The policy definition language comprises a mobile programming language which in
turn includes, but is not limited to, object-oriented and scripting programming languages. If
the mobile programming language is an object-oriented language then the active packet
comprises an active object, i.e. code plus data, normally referred to just as an object. For
each object a thread of execution is established, and the object is executed. The object then
uses the services available to it on the enforcement device to enforce the policy or a portion
of the policy. If the mobile programming language is a scripting programming language then
the active packet comprises active code, normally referred to just as code. The code along
with an interpreter for interpreting the code is transferred to the enforcement device. The
code then uses the services available to it on the enforcement device to enforce the policy or a
portion of the policy. Several enforcement devices may be utilized to execute a certain
policy. Therefore, a particular enforcement device may only enforce a portion of the policy.

The reader should note that the remainder of the disclosure will primarily focus on
active packets comprising objects. Those of ordinary skill in the art will appreciate that
substantially the same processes and procedures applicable to active objects are applicable to
active code. Throughout the disclosure any reference made to an object, unless otherwise
stated, refers to an object-oriented object and any reference made to code, unless otherwise
stated, refers to a code associated with a scripting programming language.

The management station software provides the system administrator with resources to
input a list of rules describing the policy to be enforced on a network. The management
station PDS is a software product that creates one or more programming language active
packets as previously explained, which represent the rules. The objects, once created, are in a
ready-to-run state and are invoked by a thread of execution to implement the processes that
they represent. The invocation of the object establishes a thread that can execute
independently of other processes running on the various network devices. A process can
have several threads running concurrently, each performing different jobs such as waiting for
events to occur or performing some other time consuming task. When a thread has finished
its job, the thread is suspended or destroyed and the resources utilized are returned to the
system.

After the creation of one or more objects, the management station software will
encode the objects into a transportable format. Upon the completion of the encoding, the data
identifying the code that the objects need in order to be executed is associated with the
encoded transportable objects. After storing the objects to an object file, the management
station software will optionally sign the file. The purpose of signing the file is to allow the
enforcement device to decide which rights and privileges to grant the objects when they are
executed on the enforcement device.

The optionally signed file can either be deposited on a storage device, which
includes but is not limited to a directory server or distributed database, or sent to the
enforcement device via the network. If the file has been deposited in a directory server or
distributed database, the management station will either provide the enforcement device with
the address to the storage location or the device will know to retrieve the file at a specified
location. The notification that an object file is available for the enforcement device can occur
in many ways including, but not limited to, the changing of a state or variable that the
enforcement device monitors.

If the enforcement device receives a signal indicating that a new policy, represented
by the object file, is available for it on a directory server or distributed database, it will
retrieve the object file. Upon retrieval or receipt of the object file, the enforcement device
will extract the object file contents.

The enforcement device will optionally verify the signature of the object file, as
previously stated, to determine which of its base services that it will allocate to the objects in
the signed file to utilize in the implementation of its proscribed functions. The enforcement
device will then examine the data within the file which specifies the code required by the
objects. If it does not have the code stored in its memory, it will extract the code or a
reference to the code from the file. If the code is in the enforcement device's memory it is
then loaded into its program memory and executed. Otherwise, the device uses the reference
to retrieve the code from a directory server or distributed database.

The present invention provides distinct advantages over the prior art, in that
traditionally, policy is represented as flat data, requiring an enforcement device to understand
its syntax. If this syntax changes, either to add new kinds of policy terms or to restructure the
representation, all enforcement devices must be reprogrammed to parse the new syntax.

With the present invention, the contract between the network device and network
management system involves only the methods that a policy object exports. Thus, new
methods can be added to an object class that control new aspects of policy without affecting
legacy enforcement devices. Also, the internal representation of policy may change without
affecting either the network management station or the enforcement device.

The present invention further supports a process called co-location, which enables the
objects to be distributed with their code, or references to their code that implements the
policy, throughout the network. Co-location enables new policy implementations to be
distributed to devices without changing the underlying base implementations of the devices.
For instance, legacy systems would have to be re-booted in order for new policy
implementations to be enabled. Co-location permits the legacy systems to continue their base
functions undisturbed while a new policy implementation is distributed to the enforcement
devices.

Another advantage of the present invention is the separation of policy rule
enforcement, which is accomplished by creating an independent thread for each object
representing a particular rule. Network administrators can independently stop or start the
enforcement of each rule in the policy specification without affecting the enforcement of
other policies in the specification.

Additional features and advantages of the invention will be set forth in the detailed
description which follows, and in part will be apparent from the description, or may be
learned by practice of the invention. The aspects and other advantages of the invention will
be realized and attained by the structure particularly pointed out in the written description and
claims hereof as well as the appended drawings.

To achieve these and other advantages and in accordance with the purpose of the
present invention, as embodied and broadly described, the present invention can be
characterized according to one aspect as a system providing dynamic policy management in a
network, including a management station coupled to said network, the management station
including resources to store data defining policy rules for a device in the network. Resources
in the management station are included for producing an active packet including at least a
variable and a method, in response to the data defining the policy rule, the active packet
having a format. Resources in the management station are included for sending the active
packet to the network device adapted to read and execute the active packet according to the
format.

Another aspect of the present invention can be characterized as a system for dynamic
policy management in a network, including a network device coupled to said network, the
network device including resources to receive an active packet representing a policy rule
from a second device in the network, the active packet having a format; resources in the
network device for decoding the active packet according to the format, the active packet
including a variable and a method; and resources in the network device for executing the
active packet.

A further aspect of the present invention can be characterized as a system for dynamic
policy management in a network including a management station and a network device
coupled to said network, wherein the management station includes:

1) resources to store data defining a policy rule for a device coupled to the network; 

2) resources in the management station for producing an active packet including a 
variable and a method in response to the data defining the policy rule, the active packet 
having a format; and 

3) resources in the management station for sending the active packet to the network
device, wherein the network device includes resources to receive, decode, and execute the
active packet according to the format.

A still further aspect of the present invention can be characterized as a system 
providing dynamic policy management by a method, the system, including an interface 
adapted to receive instructions characterizing policy regarding control of a network; and an 
active node connected to the interface which provides a packet to the network, the packet 
including one of a variable and a method and a reference to the variable and the method, 
executable on the network to set up a process to enforce at least a portion of the policy. 

Another aspect of the present invention can be characterized as a system for dynamic 
policy management in a network, including a network node adapted to receive a packet, 
created by a first process, representing policy for control of a network; and resources in the 
network node capable of executing a packet including one of a variable and a method and 
instructions to locate the variable and the method, executable on the network node to enforce 
a portion of the policy. 

An additional aspect of the present invention can be characterized as a system for 
dynamic policy management in a network, including an active node and a network node 
coupled to said network, wherein the active node includes: 

A) resources to store data defining a policy rule for a device coupled to the network;

B) resources in the active node for producing a packet including a variable and a 
method in response to the data defining the policy rule; and 

C) resources in the active node for sending a packet file containing one of the packet
and a reference to the packet to the network node, wherein the network node includes
resources to receive, decode, and execute the packet.

It is to be understood that both the foregoing general description and the following
detailed description are exemplary and explanatory and are intended to provide further
explanation of the invention as claimed.
The accompanying drawings, which are included to provide a further understanding
of the invention and are incorporated in and constitute a part of this specification, illustrate
embodiments of the invention and together with the description serve to explain the
principles of the invention. In the drawings:

Fig. 1 is a schematic diagram illustrating the interconnections of the management
station, the network and the enforcement devices of the present invention;

Fig. 2 depicts a general-purpose computer and its resources of the present invention;

Fig. 3 is a flow diagram illustrating the process steps performed by the software
product for creating and storing the objects of the present invention;

Fig. 4 illustrates a stored file of objects and their references to the methods and data
necessary to execute the object of the present invention;

Fig. 5 illustrates a hierarchy of systems executing multiple software products of the
present invention; and

Fig. 6 is a flow diagram illustrating the process steps of the software product for
deserializing and executing objects of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Reference will now be made in detail to the preferred embodiments of the present
invention, examples of which are illustrated in the accompanying drawings.

Fig. 1 illustrates a schematic diagram of a general network and its connected network
devices. The management station 100 comprising an interface 101 is connected to network
110. Network 110 can be a WAN, LAN, INTERNET, or similar type network wherein
devices are inter-connected and control, i.e., policy, is desired. The intermediate network
devices, such as switch 120, smart NIC 130 and 180, repeater 140, router 160, bridge 170
and hub 190 are connected to network 110. Peripheral devices, such as fax 150, which include
but are not limited to printers and modems, are connected to any one of the intermediate devices.
The intermediate network devices are coupled to an active packet (AP) execution engine, as
depicted in Fig. 1, which provides resources for executing an active packet created by the
management station 100 pursuant to the policy definition language (PDL) and transferred to a
network intermediate or end device.

Fig. 2 illustrates the resources of management station 100 and Fig. 3 depicts a flow
diagram of the process steps executed by the PDS software product utilized by the
management station 100 of the present invention.

The system administrator inputs instructions representing policy through an interface
101, which includes but is not limited to a graphical user interface GUI, of management
station 100. As shown in Fig. 2, the management station 100 comprises a general purpose
computer operating pursuant to a first software product providing a user interface for
inputting instructions representing system policy. The general-purpose computer includes,
but is not limited to, an IBM, IBM-clone, UNIX workstation, Macintosh, Sun Microsystems,
or similar computer capable of executing a policy definition system. The management
station 100 operates pursuant to an operating system including, but not limited to, Windows
or Windows NT, UNIX, OS/2, Mac OS 8.0 or similar operating system.

The management station 100 includes a processor 210, memory 220 running a
general-purpose operating system, and an engine operating pursuant to PDS software 230
such as JAVA Virtual Machine operating pursuant to JAVA. The management station 100
further includes a graphical GUI engine 240 and a smart NIC 250 which provides access to
the network 110. The system administrator proceeds to input the instructions representing
policy in the form of rules. The rules can be generated at the time of the input and saved for
future reference or they may have been previously generated to handle specific policy
situations and stored in the memory 220 or some other memory device connected to network
110 for later access. In one embodiment basic rules are pre-determined and selected from a
table and populated with at least one variable and a method using the GUI 240 and stored in
memory 220.

For example, the system administrator may decide that the system traffic is very
heavy on Mondays and Fridays causing system congestion, resulting in a degradation of
system performance. The administrator can implement a policy whereby Internet access may
be limited or totally eliminated during working hours on Mondays and Fridays. The policy
will be created and dispatched to the appropriate network devices to effectuate this policy. In
Fig. 1 this may be the smart NIC/AP engine combination 130, Router/AP engine combination
160, or Switch/AP engine combination 120 working alone or in combination to effectuate the
policy for disabling Internet access on the dates and times in question. The reader should
note that from this point on in the disclosure a reference to switch 120, smart NIC 130,
repeater 140, router 160, bridge 170, and hub 190 of Fig. 1 also includes the AP engine that
the aforementioned devices are in communication with.

The rules contain a variety of information necessary to effectuate the current policy or
policies dictated by the system administrator. For instance, the rules may contain information
which includes, but is not limited to, network and transport layer source addresses, network
and transport layer destination addresses, protocol(s), time of action, conditionals, e.g. if time
of day is between 8:00 a.m. and 5:00 p.m. disable Internet access, and other variables related
to the execution of the policy by the network devices.
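As an added example, not part of the patent, here is one way to represent a rule carrying the fields listed above (source and destination addresses, protocols, days, a time-of-day window, and the action) and to evaluate it against a flow at a given moment. The site prefix 10.0.0.0/8, the flow dictionary layout, the exemption for internal traffic and the first-match ordering are assumptions of this example; the second rule is the Monday/Friday working-hours rule described in the text.

```python
# Added example, not from the patent: a rule object carrying the fields the
# text lists, evaluated against a flow at a given time.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class PolicyRule:
    name: str
    src: str = "0.0.0.0/0"        # network-layer source as a CIDR prefix
    dst: str = "0.0.0.0/0"        # network-layer destination as a CIDR prefix
    protocols: tuple = ("tcp", "udp")
    days: tuple = (0, 1, 2, 3, 4, 5, 6)   # datetime.weekday(): Monday is 0
    start: time = time(0, 0)      # time-of-day window, inclusive at both ends
    end: time = time(23, 59, 59)
    action: str = "deny"

    def matches(self, flow, now):
        """True when the flow falls under this rule at the given moment."""
        return (ip_address(flow["src"]) in ip_network(self.src)
                and ip_address(flow["dst"]) in ip_network(self.dst)
                and flow["proto"] in self.protocols
                and now.weekday() in self.days
                and self.start <= now.time() <= self.end)


def decide(rules, flow, now, default="permit"):
    """First-match evaluation (an assumption of this example, not the patent's).
    Returns (action, name of the matching rule or None)."""
    for rule in rules:
        if rule.matches(flow, now):
            return rule.action, rule.name
    return default, None


def decide_at(rules, flow, when):
    """Convenience wrapper taking the moment as an ISO 8601 string."""
    return decide(rules, flow, datetime.fromisoformat(when))


# Constructed rule set. 10.0.0.0/8 is an assumed site prefix. The second rule is
# the text's example: no Internet access during working hours on Mondays and
# Fridays; traffic that stays inside the site is exempted by the first rule.
RULES = (
    PolicyRule(name="allow-internal", src="10.0.0.0/8", dst="10.0.0.0/8",
               action="permit"),
    PolicyRule(name="no-internet-mon-fri", src="10.0.0.0/8",
               days=(0, 4), start=time(8, 0), end=time(17, 0), action="deny"),
)
```

Because each rule is a self-contained object, a device can evaluate only the rules handed to it, which is the per-device portion of the policy the text describes.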

The process steps, performed by the software product running on management station
100, for the transformation of the rules to active packets will be described with reference to
the flow diagram of Fig. 3 and process steps 310 through 380 illustrated therein. The AP
engines depicted in Fig. 1 are devices capable of executing active packets, operating
independently of the legacy systems supporting the network devices, and are configured as
shown in Fig. 5. A discussion of the AP engine and its interrelationship with the base
operating system will now ensue before continuing with the detailed description of the
present invention.

In Fig. 5 the legacy systems 510 perform base services 520, which include, but are not 
limited to, recognizing input from the keyboard, sending output to the display screen, keeping 
track of files and directories on the memory devices, and controlling peripheral devices. The 
legacy systems can also perform policy enforcement, but require the system to be rebooted to 
purge the system of any currently executing policy. The AP engine is a self-contained 
operating environment that behaves as if it is a separate computer, i.e., similar in many 
respects to a virtual machine (VM). An example of a special type of AP engine is the JAVA 
Virtual Machine (JVM), which executes active packets. Since JAVA is an object-oriented 
language, the active packets executed by the JVM are JAVA objects. JAVA objects and 
JAVA applets are executed by the JVM on a level above the host operating system, i.e., 
legacy system. 
The AP engine design has two main advantages: 1) System independence, wherein an
application, i.e., active packet, will run the same regardless of the hardware and software
underlying the system, hence, an active packet formatted to execute on the AP engine can
also be executable by a VM or a JVM; and 2) Security, since the AP engine has limited or no
contact with the operating system, there is little possibility of an active packet damaging files
or applications running on the legacy systems 510; this approach allows for the dynamic
transfer and execution of active packets, i.e., objects or codes, without having to reboot the
AP engine or legacy system, thereby interrupting the base services 520 being provided by the
legacy systems 510.

As shown in Fig. 1 and the flow diagram of Fig. 3, the rules are inputted into
management station 100 pursuant to step 310. After entering the rules, the rules are
transformed into objects at step 320, each object having a format. The format comprises a
data structure established according to an AP executable representation particular to the
network device that will enforce the policy. Objects are higher level representations of the
policy to be enforced by the enforcement devices 120, 130, 140, 160, 170, or 190 distributed
throughout the network. In a preferred embodiment the created objects are active objects.

The rules are then transformed into objects by instantiation of classes in the
management station 100 pursuant to the step 320. At step 330 the object is encoded. In a
preferred embodiment the encoding is encapsulation. Encapsulation is a process whereby the
objects representing one or more rules representing a policy are encoded, making the objects
transportable. The encoding process removes the environment specific parameters from the
object, thereby making it mobile. In a most preferred embodiment, the JAVA method of
serializing the object is the encoding method employed. Programming languages which
support the creation of objects include, but are not limited to, JAVA, C++, CAML, Python,
and Smalltalk.

At step 340 the software optionally signs the object file. The purpose of the signature
is to provide the enforcement devices with information to allocate rights and privileges to the
objects contained within the object file when the object or objects are executed on the
enforcement device, i.e., one of the network devices 120, 130, 140, 160, 170, or 190 of Fig. 1.
In a preferred embodiment the signature comprises a digital signature.

At step 350 the software stores the file on a memory device containing the objects along with their references to the variables and methods necessary to execute the objects. A typical object file is depicted in Fig. 4, wherein the encoded object and references to the encoded object are stored to a file or archived. The object file and its variables and any required methods for execution can be stored on a common memory device or on a directory server or distributed database. The object file and its variables can also be stored on management station 100, the network 110, or one of the policy enforcement devices, as long as references are provided so that the policy enforcement devices can access the appropriate memory device address to retrieve the necessary data for execution.

At step 360, the management station 100 signals the policy enforcement device that new policy, in the form of an object file, is available. Management station 100 either forwards the object file containing the required variables and methods, or references to the variables and methods needed to execute the object and enforce the policy, to the network 110 or to some other memory device, i.e., directory server, distributed database, etc., pursuant to step 370. It should be noted that since the network 110 generally operates on several levels, each requiring different protocols, the variables and methods must be formatted, with the appropriate data structures and protocol, at management station 100 by the PDS software. The formatting is necessary to accommodate the myriad parameters necessary for a successful transmission and execution of the object and hence the enforcement of the specific portion of the policy assigned to that network device.

The technique of using objects to represent and enforce policy permits the dynamic modification of policy without having to reboot the enforcement device to purge it of a previous policy. Multiple policy rules are capable of being supported concurrently on each network device equipped with an AP engine. In the event that inconsistent policy rules are scheduled to be executed on the same enforcement device, several alternatives are available. A first-in-time or last-in-time approach can be taken, wherein either the first policy rule or the last policy rule provided to the enforcement device takes priority.

If the first-in-time approach is taken, the object representing the new policy rule may be loaded into memory, but system resources will not be allocated to it until the first process has concluded. In the last-in-time approach the first process may be terminated, and its variables and states, along with the attendant resources allocated to its execution, are returned to their initial states before the execution of the new policy rule. Other approaches, as determined by the system administrator, can be implemented to overcome conflicts between objects and will be apparent to persons of ordinary skill in the art, and therefore will not be discussed at this time.
An example of the above process will now be given. The system administrator at management station 100 inputs a rule to discontinue traffic between hub 190 and the users attached to that node. The rule in question is selected from a table accessed by a GUI 101 being executed on management station 100. The rule is then converted into an object, encoded with the proper format, i.e., data structures and protocol for the network device or devices that it is intended to be executed on, then saved into an object file, which is digitally signed. The object file along with any implementing code or data is sent to the network 110 to be stored. In this example the object file and its attendant code (here code refers to the methods and data necessary to execute the object in the file) will most likely be sent to hub 190, or router 160, or stored at the management station 100 in the memory 220. It should be noted that storing the object at management station 100 is not the preferred storage location. This is because if management station 100 is busy because of system congestion or loses its connection to the network 110, then the code and/or object necessary to effectuate the policy by the network devices 160 or 190 will not be accessible.

Either hub 190 or router 160 can enforce the policy established by the system administrator. Router 160 could perform a primary or secondary function or it could complement hub 190 by enforcing a portion of the policy. Conversely, the object could be designated as private code, signed such that only hub 190 or router 160 is permitted to access and execute the object file. The network devices have resources, i.e., logic, to receive and read the object provided by the management station 100, thereby determining access and execution rights and privileges. The following discussion will be premised on hub 190 being the only network device involved in this particular policy enforcement.

Fig. 6 depicts a flow diagram of the process steps performed and an execution environment set up by the software running on the AP engine at hub 190. At step 610, the AP engine is signaled that a new object or objects are ready for its use and execution. Pursuant to step 620 hub 190 accepts the object file or the instruction to retrieve the object file and any code necessary to execute the object in the file. The object file signature is optionally verified, pursuant to step 630, and an execution environment 640 is established to execute the object.

The purpose of establishing the execution environment in step 640 is to provide base services to the object for its use in its execution. This will include, but is not limited to, setting and clearing filters, setting and clearing timers, reading and writing states within the network device related to congestion, priority-based forwarding, and similar operations. The AP engine is capable of executing multiple objects concurrently on hub 190. Pursuant to step 650 hub 190 will then decode the object, i.e., examine the data within the object which specifies the variables and methods required for that object, and access its memory for the variables and methods necessary to execute the object. If the variables and methods required by the object are not available in its memory, it will then retrieve and extract the variables and methods from the appropriate memory device, i.e., directory server or distributed database, using the references provided within the object by management station 100. As previously noted, the object may be designated as private code and only accessed and executed by a particular network device.

After having retrieved the necessary methods and data to execute the object, the object will be executed pursuant to step 660. In a preferred embodiment the decoding process is a method of unwrapping the encapsulated object. In a most preferred embodiment the decoding process is the JAVA method of de-serializing the object. The thread of execution associated with each object will then be executed, invoking the method that the object implements, thereby providing hub 190 with the resources and functionality necessary to enforce the policy and block all traffic beyond its node.
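The station-side steps 310 to 370 and the hub-side steps 610 to 660 described above, carried through for the "discontinue traffic at hub 190" rule of the worked example, as an added example that is not part of the patent and not the applicant's own code. It assumes JSON in place of the patent's JAVA serialization for the encoding at step 330, an HMAC-SHA256 keyed with a constructed shared key in place of the digital signature at step 340, a dictionary of Python functions as the directory server holding the implementing methods, and a dictionary-backed execution environment as the base services of step 640; all class, function and reference names are hypothetical.

```python
"""Management-station pipeline (Fig. 3) and enforcement-device pipeline (Fig. 6)
for one rule.  Added example, not the patent's code.  Assumptions: JSON stands
in for JAVA serialization, HMAC-SHA256 over a constructed shared key stands in
for the digital signature, and dictionaries stand in for the directory server
and the device's execution environment."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

STATION_KEY = b"constructed-demo-key"   # constructed; not a real deployment key


@dataclass
class PolicyObject:
    """Object representing one policy rule (step 320); hypothetical layout."""
    rule: str        # rule text as chosen from the GUI table
    method: str      # name of the method the device invokes at step 660
    variables: dict  # variables that method needs
    targets: list    # devices allowed to execute this "private code"


def create_object(rule_text):
    """Step 320: transform a rule into an object (constructed rule table)."""
    if rule_text == "discontinue traffic hub 190":
        return PolicyObject(rule_text, "set_filter",
                            {"port": "all", "action": "drop"},
                            ["hub190", "router160"])
    raise ValueError("unknown rule: " + rule_text)


def encode_object(obj):
    """Step 330: encapsulate the object into transportable bytes (JSON here)."""
    return json.dumps(asdict(obj), sort_keys=True).encode()


def sign(data, key=STATION_KEY):
    """Step 340: sign the encoded object; HMAC stands in for a digital signature."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_object_file(objects):
    """Step 350: the object file of Fig. 4, i.e. each encoded object together
    with a reference to the executable/data it needs."""
    entries = []
    for obj in objects:
        encoded = encode_object(obj)
        entries.append({"encoded": encoded.decode(),
                        "signature": sign(encoded),
                        # constructed reference into a directory server
                        "reference": "dir-server://methods/" + obj.method})
    return entries


# Constructed stand-in for the directory server holding implementing code.
METHOD_LIBRARY = {
    "dir-server://methods/set_filter":
        lambda env, port, action: env["set_filter"](port, action),
}


def make_execution_environment():
    """Step 640: base services the object may use (filters, timers)."""
    state = {"filters": {}, "timers": {}}
    return {
        "state": state,
        "set_filter": lambda port, action: state["filters"].__setitem__(port, action),
        "clear_filter": lambda port: state["filters"].pop(port, None),
        "set_timer": lambda name, secs: state["timers"].__setitem__(name, secs),
    }


def accept_and_execute(entry, device_name, key=STATION_KEY):
    """Steps 620-660 on the enforcement device.  The signature is checked over
    the still-encoded bytes (step 630) before anything is decoded (step 650)."""
    encoded = entry["encoded"].encode()
    if not hmac.compare_digest(sign(encoded, key), entry["signature"]):
        return {"status": "rejected", "reason": "bad signature"}
    obj = PolicyObject(**json.loads(encoded))          # step 650: decode
    if device_name not in obj.targets:                  # private code check
        return {"status": "rejected", "reason": "private code not for this device"}
    method = METHOD_LIBRARY.get(entry["reference"])     # resolve the reference
    if method is None:
        return {"status": "rejected", "reason": "implementing code not found"}
    env = make_execution_environment()                  # step 640
    method(env, **obj.variables)                        # step 660: execute
    return {"status": "executed", "filters": dict(env["state"]["filters"])}


if __name__ == "__main__":
    object_file = build_object_file([create_object("discontinue traffic hub 190")])
    print(accept_and_execute(object_file[0], "hub190"))
```

The device verifies the signature over the encoded bytes before decoding, which is the order Fig. 6 gives (step 630 before step 650) and the one that keeps an unverified object from ever being instantiated on the node; the private-code check against the target list and the lookup of the method reference both happen before any base service is touched.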

The policy represented by the object at hub 190 may be of a limited duration or perpetual until either it is replaced or canceled by a subsequent object. Since the objects are capable of executing dynamically, without the need to power down the network device as in the conventional case, the implementation and modification of an object can be performed without regard to the functioning of the legacy system 510.

In general a currently running object that is scheduled to be terminated by a subsequent object will not terminate until the subsequent object is executed by its thread of execution. When a thread completes execution, the environment reclaims any resources it has allocated to it (in some systems this may be automatic, for example by system-wide garbage collection), and then determines what to do with the implementing code. It may decide to retain it in its code file library, or it may discard it.

If the network administrator wishes to stop the execution of the thread associated with an object, he uses the management station 100 to signal the network device to terminate the object's thread. Reasons for such termination include, but are not limited to, a change in the network policy or the administrator wishing to correct a mistake made in a previous policy specification. The enforcement device can also terminate the execution of an object's thread. This may be necessary for reasons including, but not limited to, over-consumption of resources, the signer of the object no longer being trusted to execute code on the device, expiry of the period over which the policy was being enforced, or the triggering condition no longer existing on the system.
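The first-in-time and last-in-time handling of conflicting objects described earlier, together with the administrator-initiated and device-initiated terminations listed above, as an added example that is not from the patent. It models an object's thread of execution as a status record rather than an operating-system thread, detects a conflict when two objects name the same device resource, treats trust in a signer as membership in a set, and takes resource consumption as a number supplied by the caller; the class and method names are hypothetical.

```python
"""AP-engine object lifecycle: first-in-time / last-in-time conflict handling
and administrator- or device-initiated termination.  Added example, not the
patent's code.  Assumptions: an object's thread is a status record, not an OS
thread; two objects conflict when they name the same device resource; signer
trust is set membership; resource consumption is a number supplied by the
caller."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ActiveObject:
    name: str
    resource: str                   # device state it manipulates, e.g. "filter:port1"
    signer: str                     # principal that signed the object file
    expires_at: Optional[float]     # None = perpetual until replaced or cancelled
    status: str = "loaded"          # loaded -> running -> terminated
    state: dict = field(default_factory=dict)   # variables/resources of its execution


class APEngine:
    def __init__(self, conflict_mode, trusted_signers):
        if conflict_mode not in ("first", "last"):
            raise ValueError("conflict_mode must be 'first' or 'last'")
        self.mode = conflict_mode
        self.trusted = set(trusted_signers)
        self.running = {}     # resource -> ActiveObject currently holding it
        self.pending = []     # loaded into memory, waiting for resources
        self.log = []         # (event, name[, reason]) tuples

    def load(self, obj, now):
        """A new object arrives.  Free resource: run it.  Conflict: apply the
        configured first-in-time or last-in-time rule."""
        current = self.running.get(obj.resource)
        if current is None:
            self._start(obj, now)
        elif self.mode == "first":
            obj.status = "loaded"           # in memory, no resources yet
            self.pending.append(obj)
        else:                               # last-in-time replaces the first
            self.terminate(current, "replaced by later policy", now)
            self._start(obj, now)

    def _start(self, obj, now):
        obj.status = "running"
        obj.state = {"started": now, "allocated": True}
        self.running[obj.resource] = obj
        self.log.append(("start", obj.name))

    def terminate(self, obj, reason, now):
        """Reclaim the object's resources and return its state to initial
        values; then hand the resource to a pending object, if any."""
        obj.status = "terminated"
        obj.state = {}
        self.log.append(("terminate", obj.name, reason))
        if self.running.get(obj.resource) is obj:
            del self.running[obj.resource]
        for waiting in self.pending:
            if waiting.resource == obj.resource:
                self.pending.remove(waiting)
                self._start(waiting, now)
                break

    def admin_cancel(self, name, now):
        """Management station signals the device to terminate an object's thread."""
        for obj in list(self.running.values()):
            if obj.name == name:
                self.terminate(obj, "cancelled by administrator", now)

    def tick(self, now, usage=None, limit=100):
        """Device-initiated checks: expired period, untrusted signer,
        over-consumption of resources."""
        usage = usage or {}
        for obj in list(self.running.values()):
            if obj.expires_at is not None and now >= obj.expires_at:
                self.terminate(obj, "policy period expired", now)
            elif obj.signer not in self.trusted:
                self.terminate(obj, "signer no longer trusted", now)
            elif usage.get(obj.name, 0) > limit:
                self.terminate(obj, "over consumption of resources", now)
```

Under the first-in-time rule a conflicting object stays in the pending list with no resources until the running one terminates for any reason, at which point it is started; under the last-in-time rule the running object's state is cleared and its resource released before the newcomer starts. The trust check in `tick` is what lets a device drop a policy whose signer has since been revoked without waiting for the station.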

In an embodiment of the present invention the object is executed on a JAVA Virtual Machine (JVM) or similar device capable of running a mobile language such as, but not limited to, CAML, JAVA, Python, or Smalltalk.

In an alternative embodiment, active networking can be performed using a script programming language (SPL) such as, but not limited to, Practical Extraction and Report Language (PERL), Tool Command Language (TCL), or a shell type programming language.

The above-described embodiments of the present invention can be employed in any 
type of system wherein an AP engine, VM, or similar device has been established with the 
device and provides resources to enforce policy at the network device using the above- 
described active networking principles. Active networking includes, but is not limited to, 
sending active packets, i.e., objects or code, to a network device or a network intermediate 
device by the network management station in order to tailor network device behavior 
according to some system administration objective. Active networking also permits 
applications to send active packets to network devices, which lie between them and the 
destination of their traffic. 

As demonstrated, active nodes can provide a larger variety of functionality with the same amount of dynamic memory, whereas a passive network device must contain all of the code implementing its full feature set. Once a passive device is deployed, its feature set may only be modified by loading a new version of the software. Conversely, an active node need only have resident the code that is necessary to support the features currently in use and is capable of dynamic change without rebooting the device.

In addition to the active packet services described above, the AP engine provides the 
following general services. It provides a multiplexing substrate for executing threads. This 
allows the code from multiple active objects to execute concurrently without adversely 
affecting the executions associated with other active objects. It provides a security subsystem 
for controlling access to active node resources. These resources may be native to the node, 
such as clocks, buffer memory, or network interfaces or they may be logical resources created 
by shared libraries or representing exported entry points of executing active code. 

An active node is a device operating pursuant to a general-purpose operating system, such as one of the varieties of UNIX, or it may be operating pursuant to an existing networking device, which generally uses a proprietary or commercially supported real-time operating system (RTOS). The term software-based active node is used to describe the former and the term hybrid active node to describe the latter. In both cases only a part of the device is dedicated to active networking.

Traditionally, network devices do not support the notion of multi-user computations, 
even if they are based on multiprogramming operating systems, such as UNIX. While there 
may be administrative access control, which assigns different privileges to different users, 
generally these do not translate into processes running in separate address spaces. Rather, the 
privileges are normally assigned to the terminal connection or console port, which the 
administrator uses. 

Active networking introduces new requirements that lead to more sophisticated access 
control mechanisms. For example, active code in execution may wish to communicate with 
other executing active code. The two threads may represent computations carried out on 
behalf of two different principals. This active networking provides for more dynamic system 
administration and enforcement, heretofore not provided nor contemplated by conventional 
means. 
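A minimal security subsystem of the kind described in the two preceding paragraphs, as an added example that is not from the patent: each active thread acts on behalf of a principal, native resources of the node (clock, buffer memory, network interface) are granted per principal, and an entry point exported by one piece of active code is a logical resource that another principal's code may call only if the exporting principal allowed it. The principal is assumed to be the name of the object's signer, permissions are plain string sets, and an exported entry point is a Python callable; all resource and principal names are constructed.

```python
"""Security subsystem of an AP engine mediating access by active code to
native node resources and to logical resources exported by other active code,
per principal.  Added example, not the patent's code.  Assumptions: the
principal is a string (the object's signer), permissions are string sets, and
an exported entry point is a Python callable.  Names are constructed."""


class AccessDenied(Exception):
    """Raised when active code asks for a resource its principal was not granted."""


class SecuritySubsystem:
    def __init__(self, native_resources):
        self.native = set(native_resources)   # clocks, buffer memory, interfaces
        self.grants = {}      # principal -> set of native resources it may use
        self.exports = {}     # logical resource -> (owner, callable, allowed principals)

    def grant(self, principal, *resources):
        self.grants.setdefault(principal, set()).update(resources)

    def check_native(self, principal, resource):
        if resource not in self.native:
            raise AccessDenied(f"unknown resource {resource}")
        if resource not in self.grants.get(principal, set()):
            raise AccessDenied(f"{principal} may not use {resource}")
        return True

    def export(self, owner, name, func, allowed):
        """Active code registers an entry point as a logical resource and names
        the other principals that may call it."""
        self.exports[name] = (owner, func, set(allowed))

    def call(self, caller, name, *args):
        owner, func, allowed = self.exports[name]
        if caller != owner and caller not in allowed:
            raise AccessDenied(f"{caller} may not call {name} exported by {owner}")
        return func(*args)


class ActiveThread:
    """Thread of execution running active code on behalf of one principal."""

    def __init__(self, subsystem, principal):
        self.subsystem = subsystem
        self.principal = principal

    def use(self, resource):
        self.subsystem.check_native(self.principal, resource)
        return f"{self.principal} used {resource}"

    def call(self, name, *args):
        return self.subsystem.call(self.principal, name, *args)


def demo():
    """Two principals sharing one node: a station-signed object and an
    application-signed object (constructed scenario)."""
    sec = SecuritySubsystem({"clock", "buffer", "interface:eth0"})
    sec.grant("station-admin", "clock", "buffer", "interface:eth0")
    sec.grant("app-tenant", "clock")
    admin = ActiveThread(sec, "station-admin")
    tenant = ActiveThread(sec, "app-tenant")

    # The admin object exports a read-only counter to the tenant, but keeps
    # the entry point that resets it to itself.
    counters = {"dropped": 0}
    sec.export("station-admin", "stats.dropped", lambda: counters["dropped"], ["app-tenant"])
    sec.export("station-admin", "filter.clear", lambda: counters.__setitem__("dropped", 0), [])

    results = {"admin_iface": admin.use("interface:eth0")}
    try:
        tenant.use("interface:eth0")
    except AccessDenied as err:
        results["tenant_iface"] = str(err)
    results["tenant_stats"] = tenant.call("stats.dropped")
    try:
        tenant.call("filter.clear")
    except AccessDenied as err:
        results["tenant_clear"] = str(err)
    results["admin_clear"] = admin.call("filter.clear")   # owner may call its own export
    return results
```

The point of the per-principal grants is the one the description makes: privileges attach to the computation, not to the console port the administrator logged in from, so two threads on the same node can have different rights and can still talk to each other through explicitly exported entry points.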

The foregoing description of a preferred embodiment of the invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Obviously, many modifications and variations will be apparent to practitioners skilled in this art. It is intended that the following claims and their equivalents define the scope of the invention.
WHAT IS CLAIMED IS:

1. A system for dynamic policy management in a network, comprising:

a management station coupled to said network, the management station including resources to store data defining policy rules for a device in the network;

resources in the management station for producing an active packet including at least a variable and a method in response to the data defining the policy rule, the active packet having a format; and

resources in the management station for sending the active packet to the network device adapted to read and execute the active packet according to the format.
2. The system according to claim 1, wherein the format comprises a data structure established according to a mobile programming language executable at the network device.

3. The system according to claim 2, wherein the data structure comprises an object.

4. The system according to claim 3, wherein the object comprises a JAVA object.

5. The system according to claim 4, wherein encoding is performed on the JAVA object.

6. The system according to claim 5, wherein the encoding comprises serialization.

7. The system according to claim 2, wherein the resources for sending include logic to transmit one of the variable and the method and a reference to the variable and the method to the network device.

8. The system according to claim 2, wherein the format of the mobile programming language supports co-location.
9. The system according to claim 2, wherein the format of the mobile programming language supports enforcement by multiple network devices.

10. The system according to claim 2, wherein the network device is an intermediate network device.

11. The system according to claim 1, wherein the active packet comprises an object specified according to a mobile programming language, and the resources for sending include logic to encode the object.

12. The system according to claim 11, wherein the mobile programming language comprises a scripting programming language.

13. The system according to claim 12, wherein the scripting programming language comprises one of PERL, TCL, and a shell type programming language.

14. The system according to claim 12, wherein the format of the scripting programming language supports co-location.

15. The system according to claim 12, wherein the format of the scripting programming language supports enforcement by multiple network devices.

16. The system according to claim 2, wherein the mobile programming language comprises an object.

17. The system according to claim 16, wherein the object comprises a JAVA object.
18. The system according to claim 17, wherein encoding is performed on the JAVA object.

19. A system for dynamic policy management in a network, comprising:

a network device coupled to said network, the network device including resources to receive an active packet representing a policy rule from a second device in the network, the active packet having a format;

resources in the network device for decoding the active packet according to the format, the active packet including a variable and a method; and

resources in the network device for executing the active packet.

20. The system according to claim 19, wherein the format comprises a data structure established according to a mobile programming language.

21. The system according to claim 20, wherein the data structure comprises an object.

22. The system according to claim 21, wherein the object comprises a JAVA object.

23. The system according to claim 20, wherein the mobile programming language comprises JAVA.

24. The system according to claim 19, wherein the resources for receiving include logic to receive one of the variable and the method and a reference to the variable and the method from the second network device.

25. The system according to claim 19, wherein the format of the active packet supports co-location.

26. The system according to claim 19, wherein the format of the active packet representing policy supports enforcement by multiple network devices.
27. The system according to claim 19, wherein the network device comprises a network intermediate device.

28. The system according to claim 27, wherein the network intermediate device comprises a router.

29. The system according to claim 27, wherein the network intermediate device comprises a hub.

30. The system according to claim 27, wherein the network intermediate device comprises a switch.

31. The system according to claim 27, wherein the network intermediate device comprises an adapter.

32. The system according to claim 27, wherein the network intermediate device comprises a NIC including the resources for executing the active packet.

33. The system according to claim 27, wherein the network intermediate device comprises a bridge.

34. The system according to claim 27, wherein the network intermediate device comprises a repeater.

35. The system according to claim 20, wherein the mobile programming language comprises a scripting programming language.
36. The system according to claim 35, wherein the scripting programming language comprises one of PERL, TCL, and a shell type programming language.

37. The system according to claim 35, wherein the scripting programming language supports co-location.

38. The system according to claim 35, wherein the format of the active packet representing policy supports enforcement by multiple network devices.

39. A system for dynamic policy management in a network, comprising:

a management station and a network device coupled to said network, wherein the management station includes:

resources to store data defining a policy rule for a device coupled to the network;

resources in the management station for producing an active packet including a variable and a method in response to the data defining the policy rule, the active packet having a format; and

resources in the management station for sending the active packet to the network device, wherein the network device includes resources to receive, decode, and execute the active packet according to the format.

40. The system according to claim 39, wherein the format comprises a data structure established according to a mobile programming language executable at the network device.

41. The system according to claim 40, wherein the data structure comprises an object.

42. The system according to claim 41, wherein the object comprises a JAVA object and the resources for sending include logic to encode the object.

43. The system according to claim 42, wherein the resources for sending include logic to transmit the variable and one of the method and a reference to the method to the network device.

44. The system according to claim 43, wherein the method of encoding the object comprises serialization.

45. The system according to claim 44, wherein the mobile programming language comprises JAVA.

46. The system according to claim 45, wherein the resources for receiving include logic to receive the variable and one of the method and a reference to the method from the management station.

47. The system according to claim 40, wherein the mobile programming language comprises a scripting programming language.

48. The system according to claim 47, wherein the scripting programming language is one of PERL, TCL, and a shell-type programming language.

49. The system according to claim 47, wherein the scripting programming language supports co-location.

50. The system according to claim 47, wherein the scripting programming language supports enforcement by multiple network devices.

51. The system according to claim 47, wherein the network device comprises an intermediate network device.
52. A system providing dynamic policy management by a method, the system comprising:

an interface adapted to receive instructions characterizing policy regarding control of a network; and

an active node connected to the interface which provides a packet to the network, the packet including one of a variable and a method and a reference to the variable and the method, executable on the network to set up a process to enforce at least a portion of the policy.

53. The system providing dynamic policy management according to claim 52, wherein the instructions characterizing policy comprise one or more rules defining policy.

54. The system providing dynamic policy management according to claim 53, wherein the active node includes logic to translate the one or more rules into the packet.

55. The system providing dynamic policy management according to claim 52, wherein the packet comprises a data structure created according to a policy definition language.

56. The system providing dynamic policy management according to claim 55, wherein the policy definition language comprises a mobile programming language.

57. The system providing dynamic policy management according to claim 56, wherein the mobile programming language comprises an object oriented programming language.

58. The system providing dynamic policy management according to claim 57, wherein the object-oriented programming language comprises JAVA.
59. The system providing dynamic policy management according to claim 56, wherein the mobile programming language comprises a scripting programming language.

60. The system providing dynamic policy management according to claim 59, wherein the scripting programming language comprises one of PERL, TCL, and a shell-type programming language.

61. The system providing dynamic policy management according to claim 52, wherein the active node comprises resources to signal a node on the network that a new policy is available, and wherein the node retrieves a packet file containing one of the packet and a reference to the packet, and operates pursuant to a second process.

62. The system providing dynamic policy management according to claim 61, wherein a management station includes logic to combine a plurality of packets within the packet file, wherein the data in the packet file indicates privileges that the packet is granted.

63. The system providing dynamic policy management according to claim 62, wherein the packet file data comprises a digital signature.

64. The system providing dynamic policy management according to claim 63, including resources to store the packet on the active node.

65. The system providing dynamic policy management according to claim 64, wherein the packet is stored on a memory device on the network.

66. The system providing dynamic policy management according to claim 52, wherein the packet supports co-location.

67. The system providing dynamic policy management according to claim 52, wherein the packet supports enforcement by multiple network devices.

68. The system providing dynamic policy management according to claim 52, wherein the network device comprises an intermediate network device.
69. The system providing dynamic policy management according to claim 67, wherein the network device comprises a node.

70. The system providing dynamic policy management according to claim 52, wherein the network node comprises a second active node.

71. A system providing dynamic policy management by a method, the system comprising:

a network node adapted to receive a packet, created by a first process, representing policy for control of a network; and

resources in the network node capable of executing a packet including one of a variable and a method and instructions to locate the variable and the method, executable on the network node to enforce a portion of the policy.

72. The system providing dynamic policy management according to claim 71, wherein the packet comprises a data structure created according to a policy definition language.

73. The system providing dynamic policy management according to claim 72, wherein the policy definition language comprises a mobile programming language.

74. The system providing dynamic policy management according to claim 73, wherein the mobile programming language comprises JAVA.

75. The system providing dynamic policy management according to claim 73, wherein the mobile programming language comprises a scripting programming language.

76. The system according to claim 75, wherein the scripting programming language is one of PERL, TCL, and a shell-type programming language.

77. The system providing dynamic policy management according to claim 71, wherein the network node includes resources to signal a node on the network that a new policy is available, and wherein the node retrieves a packet file containing one of the packet and a reference to the packet and operates pursuant to a second process.

78. The system providing dynamic policy management according to claim 71, wherein the packet supports co-location.

79. The system providing dynamic policy management according to claim 71, wherein the active packet supports enforcement by multiple network devices.

80. A system for dynamic policy management in a network, comprising:

an active node and a network node coupled to said network, wherein the active node includes:

resources to store data defining a policy rule for a device coupled to the network;

resources in the active node for producing a packet including a variable and a method in response to the data defining the policy rule; and

resources in the active node for sending a packet file containing one of the packet and a reference to the packet to the network node, wherein the network node includes resources to receive, decode, and execute the packet.

81. The system according to claim 80, wherein the packet comprises an object specified according to a policy definition language, and the resources for sending include logic to encode the packet.

82. The system according to claim 81, wherein the resources for sending include logic to transmit one of the variable and the method and the reference to the variable and the method to the network node.
83. The system according to claim 81, wherein the policy definition language comprises a mobile programming language.

84. The system according to claim 83, wherein the mobile programming language comprises JAVA and the packet comprises a JAVA object.

85. The system according to claim 84, wherein a method of encoding the JAVA object comprises serialization.

86. The system according to claim 83, wherein the mobile programming language comprises a scripting programming language.

87. The system according to claim 86, wherein the scripting programming language is one of PERL, TCL, and a shell-type programming language.

88. The system according to claim 80, wherein the resources for receiving include logic to receive one of the packet and a reference to the packet from the active node.

89. The system according to claim 81, wherein the policy definition language supports co-location.

90. The system according to claim 81, wherein the policy definition language supports enforcement by multiple network nodes.



WO 00/41091 PCT/US99/28199

[FIG. 1 and FIG. 2: drawings on sheets 1/5 and 2/5]

FIG. 3 (sheet 3/5), flow diagram of the management station process: Start; Input Rules Describing Policy (310); Create Active Packet (320); Encode Active Packet (330); Sign Active Packet File (340); Save Active Packet File to Memory Device (350); Signal Network Device(s) that an Active Packet is Available for Execution (360); Transfer Active Packet or Instructions to Retrieve Active Packet to Network Device (370); Stop.

FIG. 4 (sheet 4/5), archive/file layout: Encoded Active Packet #1, Encoded Active Packet #2, ..., Encoded Active Packet #N, each paired with a Reference to Executable/Data for Active Packet #1, #2, ..., #N.

FIG. 5 (sheet 4/5), system hierarchy: Active Packets; AP Engine; Base Services; Legacy Systems.

FIG. 6 (sheet 5/5), flow diagram of the enforcement device process: Start; Receive Signal that Active Packet is Available (610); Accept/Retrieve Active Packet File (620); Verify Signature (630); Setup Execution Environment (640); Decode Active Packet File (650); Execute Active Packet (660); Terminate Active Packet (670); Stop.



INTERNATIONAL SEARCH REPORT 



Iruemationaf application No. 
PCT/US99/28199 



A. CLASSIFICATION OF SUBJECT MATTER 
rPC(6) :G06F 15/173 

US CL :709/223. 245 

According to Imemaiional Paieni CUssificaiion (IPC) or to both na tional clasiification and IPC 

B. FIELDS SEARCHED 

Minimum documentation searched (classification system foiiowed by classification symbols) 
U.S. : 709/201.223 . 224. 226,244 . 243, 300, 303; 370/231. 242. 464. 465 

Documcmation searched other than minimum documentation lo the extent that such documents are induced in the fields searched 
IEEE periodicals & conferences 

Electronic data base consulted during the international search (name of data base and. where pracUcabte. search terras used) 
EAST text search terms: network policy, network managcmcnt/nwniioring. Java. OOP. MIB. ORB 



C. DOCUMENTS CONSIDERED TO BE RELEVANT

Category* | Citation of document, with indication, where appropriate, of the relevant passages | Relevant to claim No.

Y | US 5,426,421 A (GRAY) 20 JUNE 1995. ABSTRACT; Column 2, Lines 4-41; Column 3, Line 48 through Column 5, Line 13; Column 8, Line 65 through Column 13, Line 61 | 1-90

Y,P | US 5,889,953 A (THEBAUT et al.) 30 MARCH 1999. ABSTRACT; Column 2, Lines 4-42; Column 3, Line 16 through Column 6, Line 23; Column 11, Lines 33-48; Column 13, Line 22 through Column 14, Line 4 | 1-90

Y | AGHA, G.A.; "Modular heterogeneous system development: a critical analysis of Java"; Proceedings of the Seventh Heterogeneous Computing Workshop, 30 MARCH 1998; IEEE Catalog number 98EX126; ISBN: 0-8186-8365-1; pages 144-155 | 1-90

[X] Further documents are listed in the continuation of Box C.    See patent family annex.



* Special categories of cited documents:

"A" document defining the general state of the art which is not considered to be of particular relevance

"E" earlier document published on or after the international filing date

"L" document which may throw doubts on priority claim(s) or which is cited to establish the publication date of another citation or other special reason (as specified)

"O" document referring to an oral disclosure, use, exhibition or other means

"P" document published prior to the international filing date but later than the priority date claimed

"T" later document published after the international filing date or priority date and not in conflict with the application but cited to understand the principle or theory underlying the invention

"X" document of particular relevance; the claimed invention cannot be considered novel or cannot be considered to involve an inventive step when the document is taken alone

"Y" document of particular relevance; the claimed invention cannot be considered to involve an inventive step when the document is combined with one or more other such documents, such combination being obvious to a person skilled in the art

"&" document member of the same patent family



Date of the actual completion of the international search: 25 FEBRUARY 2000

Date of mailing of the international search report: [not legible in scan]

Name and mailing address of the ISA/US
Commissioner of Patents and Trademarks
Box PCT
Washington, D.C. 20231
Facsimile No. (703) 305-3230

Authorized officer: MARC THOMPSON
Telephone No. (703) 30[?]-0900

Form PCT/ISA/210 (second sheet)(July 1992)



C (Continuation). DOCUMENTS CONSIDERED TO BE RELEVANT

Category* | Citation of document, with indication, where appropriate, of the relevant passages | Relevant to claim No.

A,P | US 6,000,045 A (LEWIS) 07 DECEMBER 1999. Entire document | 1-90

A,P | US 5,905,900 A (COMBS et al.) 18 MAY 1999. Entire document | 1-90

A,P | US 5,893,083 A (ESHGHI et al.) 06 APRIL 1999. Entire document | 1-90

A,P | US 5,872,928 A (LEWIS et al.) 16 FEBRUARY 1999. Entire document | 1-90

A,P | US 5,870,561 A (JARVIS et al.) 09 FEBRUARY 1999. Entire document | 1-90

[category not legible] | US 5,608,720 A (BIEGEL et al.) 04 MARCH 1997. Entire document | 1-90

[category not legible] | MAZUMDAR, S. et al.; "Design of Protocol Independent Management Agent to Support SNMP and CMIP Queries"; Integrated Network Management, III; Elsevier Science Publishers B.V. (North-Holland), pages 377-388 | 1-90

Form PCT/ISA/210 (continuation of second sheet)(July 1992)






